Back to KEVs

CVE-2024-9644

Four-Faith F3x36 bapply.cgi Auth Bypass

Basic Information

CVE State
PUBLISHED
Reserved Date
October 08, 2024
Published Date
February 04, 2025
Last Updated
February 04, 2025
Vendor
Four-Faith
Product
F3x36
Description
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.
Tags
edge

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
0.34% (Percentile: 56.13%) as of 2025-06-20

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-06-18 00:00:00 UTC) Source

References

https://vulncheck.com/advisories/four-faith-hidden-api

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-06-19 12:00:28 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel